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FinancialAuditPlanning 


This report presents details of our proposed approach for the audit of 2020-21 
financial statements 


We plan our audit of the financial statements to respond to the risks of material misstatement and material irregularity. This reports sets out how we 
have built our assessment of risk, what we base materiality on, those risks we expect to be significant and how we will respond to those risks. We 
also set out in this report details of the team carrying out the audit, the expected timing of the audit and our fees. 


Actions for the Audit Committee 


Members of the Audit Committee are invited to discuss: We would also like to take this opportunity to enquire of those charged with 


; f governance about the following areas: 
¢ Whether our assessment of the risks of material 


misstatement to the financial statements is complete e Other matters those charged with governance consider may influence the 


including any matters those charged with governance 
consider warrant particular attention during the audit, and 
any areas where they request additional procedures to be 
undertaken; 


Whether management's response to these risks are 
adequate; 


Our proposed audit plan to address these risks; 
Whether the financial statements could be materially 


misstated due to fraud, and communicate any areas of 
concern to management and the audit team 


audit of the financial statements 


The entity's objectives and strategies, and the related business risks that 
may result in material misstatements 


Possibility, knowledge of and process for identifying and responding to the 
risks of fraud 


Oversight of the effectiveness of internal control 
Whether any non-compliance with any laws or regulations (including 
regularity) have been reported to those charged with governance (e.g. 


from staff, service organisations or other sources) 


Policies, procedures and systems for recording non-compliance with laws, 


Sid Sidhu, NAO Engagement Director regulations and internal policies. 


David Eagles, BDO Engagement Partner 


We have prepared this report for the Information Commissioner’s Office’s sole use [although you may also share it with DCMS]. You must 
not disclose it to any other third party, quote or refer to it, without our written consent and we assume no responsibility to any other person. 


OFFICIAL 


|BDO Qi National Audit Office 


Contents FinancialAuditPlanning 


Executive Summary 4 Appendices 

Changes in our assessment of risk 5 

Building our assessment of risk 6 Appendix 1: The NAO audit team 14 
Our response to the significant risks 7 Appendix 2: Scope and responsibilities 15 
Areas of audit focus 9 Appendix 3: Future Accounting Standards 17 
Materiality 10 Appendix 4: Impact of changes in auditing standards 18 
Timing of the audit and audit fee 11 Appendix 5: Guidance for governance 20 
Our audit approach 12 Appendix 6: Fraud matters 21 


|BDO Qi National Audit Office 


Executive Summary 


Audit Risks (pages 7 to 8) 


We plan our audit of the financial statements to respond to the risks 
of material misstatement to transactions and balances and irregular 
transactions. 


We have identified the following risks which have the most significant 
impact on our audit: 


Presumed risk of management R R iti 
override of controls AOM PLAS iTo 


We have identified the following areas of audit focus: 


Post BREXIT activity Going Concern 


FinancialAuditPlanning 


Materiality (page 10) 


e When setting materiality, we consider both qualitative and 
quantitative aspects that would reasonably influence the decisions 
of users of the financial statements. 

Planning materiality has been set based on projected gross 
expenditure, pending review on receipt of draft financial 
statements 


Overall account 
materiality (2%)) £1,130,000 


Error reporting 
threshold 


Audit team, fee and timetable 


¢ Sid Sidhu (NAO Director) will be responsible for the overall 
audit. The full engagement team is presented on page 15. 


* Our audit fee for this year will increase to £33,000. The fee 
reflects the increased work due to changes in auditing 
standards (see also pages 18 and 19), increased quality 
review requirements and a continuing increase in the level of 
work required in respect of revenue recognition, which is 
now reflected as a significant audit risk. 


¢* Weare planning to complete the audit in advance of the summer 2021 
Parliamentary recess. 
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Changes to our assessment of risk since 2019-20 FinancialAuditPlanning 


The risk profile for 2020-21 reflects the significance and judgemental nature of penalties now reflected as a significant audit risk, and IFRS 16 
implementation having been actioned in 2019-20. 

Areas of audit focus reflect new requirements for entities in assessing Going Concern introduced by updated International Standard on Auditing 570, 
and the current consideration about whether or not to prepare a Trust Statement for 2020-21. 


Risks and areas of focus Risks and areas of audit focus identified in 2019-20 that remain New risks and areas of focus 
diminishing or superseded relevant for 2020-2021 for 2020-21 
since 2019-20 


Risks that are broadly Risks that have evolved and 
consistent with last year developed since last year 


Significant risks Significant Risks Significant Risks Significant Risks 


Disclosures in relation to 


; : Presumed risk of management 
implementation of 


override of controls Wu age) 
IFRS 16 Leases in 2019-20 


Areas of Audit Focus Areas of Audit Focus Areas of Audit Focus Areas of Audit Focus 


Post BREXIT activity 


Going Concern 
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Building our assessment of risk FinancialAuditPlanning 


Weare well placed to develop an understanding of the risks to the 
Information Commissioner’s Office drawing on your own assessment, 
the historic assessment of risk and the broader context. 


Information Commissioner’s Office 
(ICO) assessment of risk capability 


Capacity and Financial 
resilience 


The ICO strategic risk register sets out 
o a number of risks. We have engaged , 
1CO with management to understand the Compliance Major incident 
@ background to these risks, movement GENE 
in impact and likelihood and have 
considered how these inform our 


Information Commissioner's Office 


assessment of audit risks. Expectations 
gap 
Past assessment of audit risk Presumed risk of 
management override of 
=; The 2019-20 audit highlighted a controls 
— number of areas of audit risk and 


focus, we have built on this historical 
assessment to consider whether these 
remain risks for the year. 


Disclosures in relation to 
implementation of 
IFRS 16 Leases in 2019-20 


Broader context 


Our risk assessment draws on the 
Wn understanding of the broader 
® environment in which the ICO 
operates. 


Post BREXIT 


developments 
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Our response to the significant risks* FinancialAuditPlanning 


Presumed risk of management override of controls 


Why we have identified this as a risk 


Management is in a unique position to perpetrate fraud because of its ability to manipulate accounting records and prepare 
fraudulent financial statements by using its position to override controls that otherwise appear to be operating effectively. 


Under International Standards on Auditing (UK) there is a presumed risk of management override for all audited bodies. 


Our audit is designed to provide reasonable assurance that the 2019-20 accounts are free from material misstatement, whether 
caused by fraud or error. We are not responsible for preventing fraud or corruption. 


Work we plan to undertake in response 
We will review the design and implementation of controls over journals, accounting estimates and significant unusual transactions. 


Using BDO Advantage, we will test the appropriateness of journal entries recorded in the general ledger and other adjustments 
made in the preparation of the annual accounts. 


We will review accounting estimates for evidence of bias, and where such bias is identified, evaluate the circumstances producing 
the bias to assess whether there is a risk of material misstatement to the accounts. 


We will review financial performance and achievement of performance targets, and their disclosure in the Annual Report and 
Accounts, for evidence of manipulation of data and presentation of results. 


We will evaluate any significant transactions that are outside the normal course of business or that otherwise appear to be unusual. 


Each year we incorporate an element of unpredictability into the nature, timing and extent of our audit procedures in accordance 
with auditing standards. 


*The auditor shall identify and assess the risks of material misstatement at: 

(a) the financial statement level; 

(a) the assertion level for classes of transactions, account balances, and disclosures 
to provide a basis for designing and performing further audit procedures. 


Risks of material misstatement at the financial statement level refer to risks that relate pervasively to the financial statements as a whole and potentially affect many assertions. z 
IBDO Qi National Audit Office 
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Our response to the significant risks* FinancialAuditPlanning 


Revenue Recognition 


Why we have identified this as a risk 


Under International Standard on Auditing 240 “The auditor’s responsibility to consider fraud in an audit of financial statements” 


there is an assumption that revenue recognition is a fraud risk. We are therefore required to target it as part of our planned audit 
response unless we can rebut that risk. 


For civil monetary penalties, there is a risk around cut-off to ensure that income is recognised in the correct period and also of the 
recoverability of debt. Following clarifications relating to both the point of recognition of penalties and also the need to reflect within 


the ICO’s financial statements as assessment of recoverability of that income, the status of this risk has been increased to a 
significant audit risk. 


For Data Protection notification fees , we consider that the risk of material misstatement through fraud and error remains remote 
and therefore we have rebutted the presumption of significant risk on the basis that all income received is as per the set amount 
and therefore there is very little scope for manipulation of revenue without posting extra transactions that have gone through the 
bank As bank reconciliations are performed, these would identify any additional transactions that should not have been posted and 


therefore the risk of revenue recognition can be rebutted. 


We also consider the risk of manipulating the results by wrongly splitting the cost between freedom of information and data 
protection to cover the potential revenue shortfall on data protection fees. However, we concluded that the risk of material 
misstatement due to apportionment of cost is minimal based on our testing of apportionment model in prior years. 


Work we plan to undertake in response 


We will review a sample of determinations made in respect of penalties up to the year end and assess whether they meet the 
criteria necessary to be recognised. 


We will review Management's assessment of recovery (the expected credit loss assessment) for debts due at the year end. 


*The auditor shall identify and assess the risks of material misstatement at: 

(a) the financial statement level; 

(a) the assertion level for classes of transactions, account balances, and disclosures 
to provide a basis for designing and performing further audit procedures. 


Risks of material misstatement at the financial statement level refer to risks that relate pervasively to the financial statements as a whole and potentially affect many assertions. 
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Areas of audit focus FinancialAuditPlanning 


The following are matters which we consider have a direct impact on the financial statements but do not represent significant risks of material 
misstatement as defined by ISA (UK) 315. 


Audit Area Affected Audit Response 


Post BREXIT activity e Income — fees We will review disclosures made in respect of the developments during the year in the 


e Expenditure — staffing Annual Report. 


and other costs, 


f i We will consider the impact on expected income levels and on costs. 
including legal costs 


e Going concern Please see below for going concern. 


Going Concern e Disclosures The revised ISA570 requires the auditor to make a request to management that they 
perform an assessment of the entity’s ability to continue as a going concern. Flagging 
this issue as an area of audit focus is to ensure that this request is noted and included 
on the Audit Committee’s agenda. 
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Materiality FinancialAuditPlanning 


Basis for overall materiality calculation Projected 2020-21 expenditure 


Overall account materiality (2%) £1,130,000 
We report to you all misstatements, whether adjusted or unadjusted, above 
£25,000 £25,000 


In line with generally accepted practice, we have set our quantitative materiality overall population. As the audit progresses our assessment of both quantitative 
threshold for the ICO as approximately 2% of expenditure, which equates to and qualitative materiality may change. 
£1.13 million. 
We also consider materiality qualitatively. In areas where users are particularly 
These levels remain comparable to those used in the prior year. sensitive to inaccuracy or omission, we may treat misstatements as material 
even below the principal threshold(s). 
Our overall account materiality is based on projected gross expenditure. 
A matter is material if its omission or misstatement would reasonably influence These areas include: 


the decisions of users of the financial statements. The assessment of what is e the remuneration report; 
material is a matter of the auditor’s professional judgement and includes e disclosures about losses and special payments; 
consideration of both the amount and the nature of the misstatement. * our audit fee; and 


e irregular income and expenditure. 
The concept of materiality recognises that absolute accuracy in 
financial statements is rarely possible. An audit is therefore designed to provide 
reasonable, rather than absolute, assurance that the financial statements are 
free from material misstatement or irregularity. We apply this concept in 
planning and performing our audit, and in evaluating the effect of identified 
misstatements on our audit and of uncorrected misstatements, if any, on the 
financial statements and in forming the audit opinion. This includes the 
statistical evaluation of errors found in samples which are individually below the 
materiality threshold but, when extrapolated, suggest material error in an 
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Timing of the audit and audit fee FinancialAuditPlanning 


Receipt of first draft 


The timetable comprises an interim visit commencing 
of the accounts 


March 2021 for 1 week and a final visit commencing April 
2021 with certification planned for July 2021. 


Audit Completion 


Audit Planning Report 
Report (ACR) issued 


presented to the audit 
committee 


Interim audit 


Fees 


The fee for the audit is £33,000. 


The principle agreed with Parliament is 
that our fee is set to recover the full 
costs of the audit, rather than make a 
profit from or subsidise an audit. The 
NAO determines its fees with reference 
to standard hourly rates for our staff, 


Initial planning 
meetings and risk 
assessment 


which are reviewed annually, and Jan Feb March April May June July 

updated when costs change. 2021 2021 2021 2021 2021 2021 2021 

Completion of our audit in line with the 

timetable and fee is dependent upon 

ICO: 

* delivering a complete Annual Planning Interim Final fieldwork Completion 
Report and Accounts of sufficient : : fieldwork : e 
quality, subject to appropriate In consultation with l Test expenditure and ACR: present our findings 
internal review, on the date agreed; Management, Audit Test expenditure income and significant and recommendations. 

8 Committee, Internal and income. balances and 

. delivering good quality supporting Audit and other Key disclosures Seek management 

evidence and explanations within stakeholders, review representations. 


the agreed timetable; 


* and making staff available during 
the audit. 


If significant issues arise and we are 
required to perform additional work this 
may result in a change in our fee. We 
will discuss this with you before carrying 
out additional work. 
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ICO’s operations, assess 
risk for our audit and 
evaluate the control 
framework. 


Determine audit strategy. 


C&AG issues opinion. 


Management 

Letter: provide final 
recommendations on 
control matters identified. 


Debrief 


Meeting to discuss 
lessons learned and 
improvements for the 
following year. 
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Our audit approach — Other Matters FinancialAuditPlanning 


Other Matters 


Audit scope and This audit plan covers the work we plan to perform to express an opinion on whether the financial statements are free from material 
strategy misstatement and are prepared, in all material respects, in accordance with the applicable financial reporting framework. 


The plan is also designed to ensure the audit is performed in an effective and efficient manner 


Our audit approach is a risk based approach, ensuring that audit work is focussed on significant risks of material misstatement and 
irregularity. 


In areas where users are particularly sensitive to inaccuracy or omission, a lower level of materiality is applied, e.g. for the audit of 
senior management remuneration disclosures and related party transactions. 


When undertaking our risk assessment we take into account several factors including: 
Inquiries of management 
Analytical procedures 
Observation and inspection of control systems and operations 
Examining business plans and strategies 


Our risk assessment will be continually updated throughout the audit. 


Independence We are independent of ICO in accordance with the ethical requirements that are relevant to our audit of the financial statements in the 
UK, including the FRC’s Ethical Standard as applied to listed entities/public interest entities. We have fulfilled our ethical responsibilities 
in accordance with these requirements and have developed important safeguards and procedures in order to ensure our independence 
and objectivity. 

Information on NAO quality standards and independence can be found on the NAO website: httos://www.nao.org.uk/about-us/our- 
work/governance-of-the-nao/transparency/. 


We will reconfirm our independence and objectivity to the Audit Committee following the completion of the audit. 
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Our audit approach FinancialAuditPlanning 


Other Matters 


Management of personal During the course of our audit we have access to personal data to support our audit testing. 


data We have established processes to hold this data securely within encrypted files and to destroy it where relevant at the conclusion 
of our audit. We confirm that we have discharged those responsibilities communicated to you in the NAO’s Statement on 
Management of Personal Data at the NAO. 
The statement on the Management of Personal Data is available on the NAO website: 
http:/www.nao.org.uk/freedom-of-information/publication-scheme/how-we-make-decisions/our-policies-and-procedures/policies- 
and-procedures-for-conducting-our-business/ 

Use of framework The NAO has appointed BDO LLP to undertake the detailed work to support the C&AG’s opinion. On a day-to-day basis the audit 

partners will be managed and the work carried out by BDO LLP staff, under the direction of the NAO. The responsibility for recommending 
the form of audit opinion to the C&AG shall be retained by the NAO. 

Using the work of We liaise closely with internal audit through the audit process and seek to take assurance from their work where their objectives 

internal audit cover areas of joint interest. 


Following our review of internal audits plans we are not aiming to take assurance from their audit assignments. 


Communication with the Organisations we audit tell us they find it helpful to know about our new publications, cross-government insight and good 
NAO practice. 


Our website holds a wealth of information from latest publications which can be searched, to pages sharing our insights on 
important cross-cutting issues. We also publish blogs and send email notifications to subscribers about our work on particular 
sectors or topics. If you would like to receive these alerts, please sign up at: http://bit.ly/NAOoptin. You will always have the 
option to amend your preferences or unsubscribe from these emails at any time. 
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Appendix 1: The audit team 


The NAO has appointed BDO to undertake the detailed work to support the C&AG’s opinion. On a day-to-day 
basis the audit will be managed and the work carried out by BDO staff, under the direction of the NAO. The 
responsibility for recommending the form of audit opinion to the C&AG shall be retained by the NAO. 


Engagement team 


Sid Sidhu Robert Buysman 

NAO Engagement Director NAO Engagement Manager 

T: 0207 798 7489 T: 0207 798 5409 

E: sid.sidhu@nao.org.uk E: robert.buysman@nao.org.uk 
David Eagles 

BDO Engagement Partner 


T: 01473 320728 
M: 07967 203431 
E: david.eagles@bdo.co.uk 


FinancialAuditPlanning 
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Appendix 2: Scope and responsibilities 


FinancialAuditPlanning 


In line with ISAs (UK) we are required to agree the respective responsibilities of the C&AG/NAO and the Accounting Officer/Client, making clear that the 
audit of the financial statements does not relieve management or those charged with governance of their responsibilities. 
These responsibilities are set out in the Letter of Understanding of 24 May 2017, and are summarised here. 


Accounting Officer/management 
responsibilities 


Scope of the audit e Prepare financial statements in accordance with Data Protection ° 
Act 1998 and HM Treasury guidance and that give a true and fair 
view. 


e Process all relevant general ledger transactions and make these, 
and the trial balance, available for audit. 


e Support any amendments made to the trial balance after the 
close of books (discussing with us). 


e Agree adjustments required as a result of our audit. 


e Provide access to documentation supporting the figures and 
disclosures within the financial statements. 


e Subject the draft account to appropriate management review 
prior to presentation for audit 


Our responsibilities as auditor 


Conduct our audit in accordance with International Standards 
on Auditing (UK) (ISAs (UK)). 


Report if the financial statements do not, in any material 
respect, give a true and fair view. 


Review the information published with the financial statements 
(e.g. annual report) to confirm it is consistent with the accounts 
and information obtained during the course of our audit. 
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Appendix 2: Scope and responsibilities (cont'd) FinancialAuditPlanning 


Accounting Officer/management 
responsibilities 


Our responsibilities as auditor 


Regularity 


Governance 
statement 


Accounting 
estimates and 
related parties 


Ensure the regularity of financial transactions. 


Obtain assurance that transactions are in accordance with 
appropriate authorities, including the organisation’s statutory 
framework and other requirements of Parliament and HM 
Treasury. 


Primary responsibility for the prevention and detection of fraud. 


Establish a sound system of internal control designed to manage 
the risks facing the organisation; including the risk of fraud. 


Review the approach to the organisation’s governance reporting. 


Assemble the governance statement from assurances about the 
organisation’s performance and risk profile, its responses to risks 
and its success in tackling them. 


Board members, with the support of the Audit Committee, 
evaluate the quality of internal control and governance, and 
advise on any significant omissions from the statement. 


Identify when an accounting estimate, e.g. provisions, should be 
made. 


Appropriately value and account for estimates using the best 
available information and without bias. 


Identify related parties. 
Appropriately account for and disclose related party transactions. 


Conduct our audit of regularity in accordance with Practice Note 
10, 'Audit of financial statements of public sector bodies in the 
United Kingdom (2016)’, issued by the Financial Reporting 
Council. 


Confirm the assurances obtained by the ICO that transactions 
are in accordance with authorities. 


Have regard to the concept of propriety, i.e. Parliament’s 
intentions as to how public business should be conducted. 


Provide reasonable assurance that the financial statements (as 
a whole) are free from material misstatement, whether caused 
by fraud or error. 


Make inquiries of those charged with governance in respect of 
your oversight responsibility. 


Confirm whether the governance statement is consistent with 
our knowledge of the organisation, including its internal control. 


Consider whether the statement has been prepared in 
accordance with HM Treasury guidance, including Managing 
Public Money. 


Consider the risk of material misstatement in respect of 
accounting estimates made by management. 


Perform audit procedures to identify, assess and respond to the 
material risks of not accounting for or disclosing related party 
relationships appropriately. 


The revenue recognition risk includes consideration of 
recoverability of penalties and fines. 
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IFRS 17: Insurance 
Contracts 


Effective from 2023-24 


HM Treasury are 
consulting on the public 
sector interpretation of 
this Standard for FReM 
bodies. It expects 
public sector 
implementation to be 
from 2023-24, and to 
develop application 
guidance in due 
course. 


IFRS 17: Insurance Contracts replaces IFRS 4 of the same name. The new standard will apply more standardised and 
rigorous requirements on accounting for insurance contracts. The new standard sets clearer expectations on the recognition, 
classification and measurement of assets and liabilities in relation to insurance contracts. 


Scope 


The scope of the standard covers insurance contracts issued and re-insurance contracts issued or held. An insurance 
contract is defined as: 


“A contract under which one party (the issuer) accepts significant insurance risk from another party (the policyholder) by 
agreeing to compensate the policyholder if a specified uncertain future event (the insured event) adversely affects the 
policyholder.” 


Indications that there is an insurance contract present include: 

e Does the agreement create enforceable rights and obligations between an entity and one or more third parties OR two or 
more entities whose accounts are consolidated into the same group? 

e Is one party required to make a payment to a second party depending on the outcome of a future event? 

e Is the future event that would trigger payments uncertain? 

* Does the specified uncertain future event adversely affect the second party to the contract? 

e Does the payments required by the agreement amount to a transfer of risk from the second party (the policy holder) to 
the first party (the issuer)? 

e ls the risk transferred insurance risk? (a risk other than a financial risk) 


Implementation 


Although the implementation of IFRS 17 is not planned until 2023, the standard should not be underestimated and 
preparations will be required where appropriate. Preparations will be required for the different actuarial, risk and accounting 
processes and could extend to different data, system and processes. 


HMT are considering the application of IFRS 17 to the public sector. The standard reflects appropriate practice for the 
commercial insurance industry and implementation without adaptation may not be suitable for the public sector. HMT have 
already identified the practice of self-insurance across the public sector as an area that may adapted for government bodies. 
They are seeking feedback on where such self-insurance arrangements might exist, so the extent of this undertaking can be 
considered when the standard is adapted for the FReM. 


Action for audit committees 


Audit committees are asked to consider whether, through contractual arrangements or custom and practice, their enterprises 
insure other bodies against specific risks. Where arrangements are identified, entities should engage with HMT on the 
application of the standard within the public sector. Audit committees are requested to continue to monitor new transaction 
streams or arrangements against the criteria of IFRS 17 to ensure all liabilities are appropriately recognised across the 
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Changes in auditing ISA 540 (Revised) - Auditing Accounting Estimates and Related Disclosures applies to audits of all accounting estimates in 
standards: ISA 540 financial statements for periods beginning on or after December 15, 2019. 
(Accounting 


This revised ISA responds to changes in financial reporting standards and a more complex business environment which 
together have increased the importance of accounting estimates to the users of financial statements and introduced new 
challenges for preparers and auditors. 


Estimates) 


The revised ISA requires auditors to consider inherent risks associated with the production of accounting estimates. These 
could relate, for example, to the complexity of the method applied, subjectivity in the choice of data or assumptions or a high 
degree of estimation uncertainty. As part of this, auditors consider risk on a spectrum (from low to high inherent risk) rather 
than a simplified classification of whether there is a significant risk or not. At the same time, we expect the number of 
significant risks we report in respect of accounting estimates to increase as a result of the revised guidance in this area. 


The changes to the standard may affect the nature and extent of information that we may request and will likely increase the 
level of audit work required, particularly in cases where an accounting estimate and related disclosures are higher on the 
spectrum of inherent risk. For example: 


« We may place more emphasis on obtaining an understanding of the nature and extent of your estimation processes and 
key aspects of related policies and procedures. We will need to review whether controls over these processes have been 
adequately designed and implemented in a greater number of cases. 


« We may provide increased challenge of aspects of how you derive your accounting estimates. For example, as well as 
undertaking procedures to determine whether there is evidence which supports the judgments made by management, we 
may also consider whether there is evidence which could contradicts them. 


« We may make more focussed requests for evidence or carry out more targeted procedures relating to components of 
accounting estimates. This might include the methods or models used, assumptions and data chosen or how disclosures 
(for instance on the level of uncertainty in an estimate) have been made, depending on our assessment of where the 
inherent risk lies. 


e You may wish to consider retaining experts to assist with related work. You may also consider documenting key 
judgements and decisions in anticipation of auditor requests, to facilitate more efficient and effective discussions with the 
audit team. 


« We may ask for new or changed management representations compared to prior years. 
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ISA (UK) 570: Going The FRC has issued significant revisions to ISA (UK) 570 - Going Concern. This follows several well-publicised cases of 
Concern perceived audit failure, such as Carillion and BHS. In these cases, the auditors failed to raise concerns in the auditor's report 


about the viability of the companies, despite them collapsing shortly after. 


ENACIVE OM 202021 The changes increase the work required by auditors on going concern. As a result, we will be requesting greater evidence on 


going concern to meet these requirements, including, in all cases, management's assessment of the entity’s ability to 
continue as a going concern for a period of at least one year from certification as required by IAS 1. 


Public sector adaptation 


In the public sector, management’s use of the going concern basis of accounting may be driven by the requirements of the 
financial reporting framework rather than the financial sustainability of the reporting entity. The Financial Reporting Manual 
(FReM) provides that anticipated continuation of the provision of a service in the future will be presumed to provide sufficient 
evidence to prepare the financial statements on a going concern basis. 


Recognising these differences from a private sector situation, Practice Note 10 interprets the requirements of the new ISA 
570. This allows for auditors to take the “continued provision of service approach”. For bodies reporting under the FReM, this 
allows auditors to conduct proportionate risk assessment procedures over going concern where the activities are expected to 
continue in the future. There are still additional new requirements such as requirements to perform specific risk assessment 
procedures on going concern. 


Going concern issues can still arise but these largely occur when Parliament has an intention to abolish, transfer or privatise 
the activities of an entity. Only in the case of dissolution without any continuation of operations would the going concern basis 
cease clearly to be appropriate. In the other cases the auditor considers the basis on which the activities are transferred from 
the viewpoint of the entity that is relinquishing the assets and liabilities at the accounting date. 


Therefore, an unqualified opinion on going concern does not provide assurance over the entity’s financial sustainability nor 
that the operations will not be transferred to another entity. There will be changes to the audit certificate including further 
explanations of the work done on going concern as required by the changes to ISA 570. 


Action for audit committees 


Audit committees are encouraged to review management's going concern assessment on an annual basis and consider 
whether it is appropriate for the entity’s circumstances and the financial reporting framework. For entities where Parliament 
has an intention to abolish, transfer or privatise the activities, audit committees should scrutinise whether the accounts have 
been prepared on the correct basis and whether the financial statements include appropriate disclosures of material 
uncertainties over going concern. 
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Appendix 5: Guidance for governance 


Support to Audit Committees 


FinancialAuditPlanning 


Cyber security and information risk guidance for Audit 


Committees 


We have developed a range of guidance and tools to help public sector 
Audit Committees achieve good corporate governance. This includes 
specific guidance on financial reporting and management during Covid-19 


httos://www.nao.org.uk/search/pi_area/support-for-audit-committees/ 


httos://www.nao.org.uk/report/quidance-for-audit-and-risk- 
committees-on-financial-reporting-and-management-during-covid-19/ 


Audit committees should be scrutinising cyber security 
arrangements. To aid them, this guidance complements government 
advice by setting out high-level questions and issues for audit 
committees to consider. 


https://www.nao.org.uk/report/cyber-security-and-information-risk- 


quidance/ 
Sustainability reporting 
This guidance is to assist with the completion of 
Corporate Governance Code for central government sustainability reports in the public sector. It sets out the 
departments _ minimum requirements, some best practice guidance and 
The document was released in July 2018 and lays out the model Guidance for the underlying principles to be adopted in preparing the 
for departmental boards, chaired by Secretaries aovernan information. 
( IOVEe (lc ) ce 
J~ 


of State and involving ministers, civil servants and 
non-executive board members. The principles outlined in the 
code will also prove useful for other parts of central 
government and they are encouraged to apply arrangements 
suitably adapted for their organisation. 


https:/www.gov.uk/government/publications/corporate- 


governance-code-for-central-government-departments- 
2017 


Good practice in annual reports 


The Building Public Trust Awards recognise outstanding corporate reporting 
that builds trust and transparency. The interactive PDF below illustrates a 
range of good practice examples across annual reports in both the public and 
private sector. 


https://www.nao.org.uk/report/building-public-trust-awards-good-practice-in- 
annual-reports-february-2020/ 
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https://www.gov.uk/government/publications/public-sector- 


annual-reports-sustainability-reporting-quidance-2020-to- 
2021 


Disclosure Guides 


Our disclosure guides for clients help audited bodies prepare an 
account in the appropriate form and that has complied with all 
relevant disclosure requirements. 


http://www.nao.org.uk/report/nao-disclosure-quides-for- entities- 
who-prepare-financial-statements-in-accordance-with-the- 
overnment-financial-reporting-manual-frem/ 
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Appendix 6: Fraud matters 


ISA (UK) 240 ‘The auditor’s responsibility to consider 
fraud in an audit of financial statements’ requires us, 
as your auditors, to make inquiries and obtain an 
understanding of the oversight exercised by those 
charged with governance. 


Fraudulent Financial Reporting: 
Intentional misstatements 

including omissions of amounts or 
disclosures in financial statements 
to deceive financial statement 
users. 


What can 
constitute 
fraud? 


Internal misappropriation of 
assets: Theft of an entity’s 
assets perpetrated by 
management or other employees. 


recipients. 


ISA inquiries 
Our inquiries relate to your oversight responsibility for 
e Management's assessment of the risk that the financial statements may be 


materially misstated owing to fraud, including the nature, extent and frequency 


of such assessments; 
e Management’s process for identifying and responding to the risks of fraud, 


External misappropriation of 
assets: Theft of an entity’s 
assets perpetrated by individuals 
or groups outside of the entity, for 
example grant or benefit 


FinancialAuditPlanning 


Rees ; Incentive/Pressure: 
Rationalisation/attitude: Culture of Management or other employees 
environment enables management to 


rationalise committing fraud — attitude 


have an incentive or are under 


i pressure. 
or values of those involved, or 


pressure that enables them to 
rationalise committing a dishonestact. 


Fraud risk 
factors 


Opportunity: Circumstances 
exist — ineffective or absent 
control, or management ability to 


override controls — that provide 
opportunity 


Audit approach 

We have planned our audit of the financial statements so that we have a 
reasonable expectation of identifying material misstatements and irregularity 
(including those resulting from fraud). Our audit, however, should not be relied 
upon to identify all misstatements or irregularities. The primary responsibility for 


including any specific risks of fraud that management has identified or that has Preventing and detecting fraud rests with management. 


been brought to its attention; 


We will incorporate an element of unpredictability as part of our approach to 


* Management's communication to the Audit Committee (and others charged with address fraud risk. This could include, for example, completing procedures at 
governance) on its processes for identifying and responding to the risks of fraud;!ocations which have not previously been subject to audit or adjusting the timing of 


and 
e Management’s communication, if any, to its employees on its views about 
business practices and ethical behavior. 
We are also required to ask whether you have any knowledge of any actual, 
suspected or alleged fraud. 


some procedures. 


We will report to the Audit Committee where we have identified fraud, obtained 
any information that indicates a fraud may exist or where we consider there to be 
any other matters related to fraud that should be discussed with those charged 
with governance. 
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